Stealthy Dopant-Level Hardware Trojans
DoctorBit writes "A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip's transistors. From the paper: 'Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips."' In a test of their technique against Intel's Ivy Bridge Random Number Generator (RNG) the researchers found that by setting selected flip-flop outputs to zero or one, 'Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen.' They conclude that 'Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests. The higher the value n that the attacker chooses, the harder it will be for an evaluator to detect that the random numbers have been compromised.'"
Can an entire three-letter-agency get a corporate hard-on? 'Cause if they can, this gave our favorite one the biggest boner in the known universe.
Is it just my observation, or are there way too many stupid people in the world?
I would guess that an intelligence agency figured this out a few years ago. One that can plant moles at Intel. That's why they also want to remove rdrand from Linux.
http://linux.slashdot.org/story/13/09/10/1311247/linus-responds-to-rdrand-petition-with-scorn
Yes. A device that contains something concealed and malevolent? That's a hardware trojan right there.
What else would you call physical access to your dopant masks? /sarcasm
Repeat after me: physical access to <insert item here> allows for a much greater security risk.
"Heck what about random generator devices?"
The whole point of TFA is about a technique for (mostly undetectably) modifying a good hardware RNG and turning it into a really lousy one.
Getting your entropy from multiple places probably helps (if they don't know what 6 RNGs you chose it's harder to dope them all, and even if they do, they still have to slog through the entropy from multiple crippled sources rather than only a single one (and, while it is possible to cripple the RNG entirely, that will show up on tests, so plausible real-world implementations would still provide some entropy, just less than advertised)).
I wonder if they also considered that the NIST random number test suite might also be compromised by the NSA...
"When information is power, privacy is freedom" - Jah-Wren Ryel
1. Changing the dopant in a transistor is undetectable by visual inspection - clearly;
2. Randomness isn't the same as predictability.
I skimmed through the paper thinking that the innovation was that they'd actually been able to modify an Intel chip. But they appear to be saying little more than that you can manufacture a chip "wrongly" (after a LOT of waffle - you'd never get away with this writing math papers!).
There are easy numeric methods for determining how random data is.
Actually, no. Technically speaking, there is no such thing as random data, only a random process. You can certainly test how random a data stream seems, but if the data source is a black box, you never really know.
From TFS:
Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests.
What if your black box is just feeding you encrypted bits of pi? You would never know, but the black box's maker could trivially reproduce your "random" numbers.
NSA? Probably not. The Chinese chip fab that has been known to have a third shift and has full access to masks and such? Certainly.
The NSA isn't the only agency wanting to know everything a person does.
All they need to do? It's already been done at the fab! Why else would this be coming out now? These researchers have been under a gag order for years and only now got bold enough to stand up to the NSA.
Opinions above are exaggerated for entertainment purposes only
If I were a disgruntled member of the intelligence industrial complex and knew that this was actually being done by a government agency, and I did not relish the thought of a Russian sabbatical, couldn't I surface the news by telling researcher friends of mine how to do it?
These parts would not pass the standard verification process and would be rejected from being assembled into devices.
Standard testing of ICs for functional faults includes a scan process. Per the design specification that the part was supposed to be built to, a number of scan vectors are passed through the devices. These scan vectors check as much of the device as possible. The goal is to check every flop and every logic path between flops. The tests are to detect manufacturing errors, and can find single faults in devices.
Typical errors are stuck-at-1 or stuck-at-0, also shorts, and would easily expose modifications of this sort, especially of such a scale as to radically change things.
Yes, yes it is.
In security, you're trying to change the behavior of corporate drones, idiots, and people who are invested in the status quo. People use these papers as ammunition for that.
The drones will call your attack "theoretical" and "impractical" unless you spell out exactly how to do it, step by step. If they hadn't detailed exactly how to do it, the attitude would basically have been that nobody could possibly figure out the impossible complexity of weakening a REAL RNG. I mean, look at the self tests! Nobody could get around that! In fact, even people who weren't complete idiots might have guessed, at first glance, that the self tests would be hard to defeat, or that you couldn't do this hack without screwing up the chip.
Even with a detailed paper, they will probably be ignored until somebody actually does it in the field. If you wrote a one-pager that said "Warning! Somebody could alter the behavior of gates by tweaking the dopants", they would 1000 percent ignore it.
As for the verbose background information, it's standard in the field (although they went a bit heavy on it). It has zero cost, and readers in the field who don't need it simply skip it. So I don't know why you're getting so upset about it.
Please don't trash people's work in fields you don't even slightly understand.
Given Hanlon's razor, an accidental, rather than malicious, error in doping would be even more likely. If the chip were inadvertently doped incorrectly, it would pass visual inspections and even software tests without awareness of the defect. How many defective dice, not merely with RNGs but also with other circuits, are already in service due to inspection failures?
Although this paper shows how insidious a threat from a well-funded adversary might be, even more it shows the need for more comprehensive inspection mechanisms to discover misdoping which might go undetected by existing standard procedures.
BTW, the paper includes a well written and readable introduction to the context of the problem. Good job.
No, there aren't. The digits of pi have no pattern other than being the digits of pi, so they will pass random number tests. A good pseudo random number generator will pass randomness tests, but can be easily reproduced if you know the starting seed. Also, putting a simple sequence (1,2,3,4...) through an encryption algorithm will give you an output that passes randomness tests.
The NIST 800-22 test has bit length parameters. The article doesn't indicate if it passed the 128 bit NIST test after they reduced the entropy to 32 bits, only that it passed *some* NIST test. From another poster it seems the standard NIST parameters used for the NIST test may not be sufficient to test that the prng exhibits the level of entropy that people are relying on it to exhibit. The lavarnd folks pass a billion bit NIST test, so it is possible to run longer versions of the test. If the reduced entropy source is still passing a higher entropy test, we have a problem with our testing method.
Your other (very valid) point is that just because data is random, doesn't mean you are secure. The data stream has to be both random and unknown to your attacker, which PI would not be. In this case they do not have a way to set the seed, or all inputs to the prng, only to limit the prng's bit length, so the attacker will not know the random sequence or even its statistics. It simply makes a brute force attack much less time consuming.
It still concerns me that a 32 bit prng might have passed a 128 bit 800-22 test. Does anyone know more about that aspect of it?
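The two points made above (a strong whitener over a low-entropy source passes statistical tests, yet the stream is fully reproducible to anyone who knows the construction) can be checked directly. The following is an added example, not code from the paper or from any poster: it implements the NIST SP 800-22 frequency (monobit) test and runs it over a constructed generator whose only secret is a 1-bit seed, with SHA-256 standing in for the AES whitener.

```python
import hashlib
import math

# Constructed "generator": a hash of a public counter keyed by a seed that holds
# only `seed_bits` of entropy. It stands in for any strong whitener (AES in the
# RDRAND design, SHA-256 here) placed in front of a crippled entropy source.
def low_entropy_stream(seed, n_bits, seed_bits=1):
    assert 0 <= seed < (1 << seed_bits)
    out = []
    counter = 0
    while len(out) < n_bits:
        msg = seed.to_bytes(4, "big") + counter.to_bytes(8, "big")
        block = hashlib.sha256(msg).digest()
        out.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return out[:n_bits]

def monobit_p_value(bits):
    """NIST SP 800-22 section 2.1 frequency (monobit) test: p-value for the
    balance of ones and zeros. The test looks at nothing but that balance."""
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def passes_monobit(bits, alpha=0.01):
    """NIST's decision rule: the sequence is accepted as random if p >= 0.01."""
    return monobit_p_value(bits) >= alpha

def recover_seed(observed, seed_bits=1):
    """Anyone who knows the construction needs only 2**seed_bits trials to
    reproduce the whole 'random' stream, whatever the test verdict was."""
    for guess in range(1 << seed_bits):
        if low_entropy_stream(guess, len(observed), seed_bits) == observed:
            return guess
    return None

if __name__ == "__main__":
    stream = low_entropy_stream(seed=1, n_bits=20000)
    print("monobit p-value:", monobit_p_value(stream), "pass:", passes_monobit(stream))
    print("seed recovered by brute force:", recover_seed(stream))
```

The monobit test is the first and simplest of the 800-22 battery; the other tests likewise measure statistical shape and, for the same reason, cannot distinguish a hashed 1-bit seed from a genuine entropy source. The only check that would catch this generator is one that knows the construction, which is exactly the evaluator's problem the thread is describing.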
Refactor the law: it's bloated, confusing and unmaintainable.
This is not my field by a long stretch. After reading the pdf this morning, what I got from the paper was a method to undetectably make relatively easily-done changes to various transistors such that those changes offer an entry point for external reading and possibly manipulation to potentially useful effect within real-world manufacturing methods. Do this, pwn chips. Profit.
What these guys have done strikes me as impressive - and wonderfully, elegantly sneaky. I know there are some design and fab people here - what say you?
Sure, it's obscure, except all our chips are being made in a country that is actively in an electroni
THE PEOPLE'S GLORIOUS REPUBLIC DENIES THESE CLAIMS.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
As a person who has worked in semiconductors since the first SSI 7400, I can say for certain that many things have been done and there are some really talented people who can do things that -almost- defy reason. I know that engineers put their own little signatures in ASICs and that some engineers are far more competent than can be understood by most. I have seen many circuits that were situationally controlled or externally controlled by means that would not be obvious without an understanding of the physics, electromagnetic conditions, and software. It can even be done at the layout level. Early CMOS was notoriously susceptible to EM induction. I have seen a board that used an unconnected trace to an input pin as an RC circuit.
The greatest problem that I see in this type of behavior is that it assumes perfect security and there is no such thing. If you put a means to invade or disable systems in all products, you are hurting every individual and business. If you also create a system where people cannot verify your identity as a secret police without committing a crime, you have created a back door in the social engineering realm. If I am party to a security request, I then know what documents, methods and verifications are being used and thus it can be used as a spoof attack on anybody else with little chance of discovery.
I would not be the least bit surprised if it was discovered that IBM, INTEL, Motorola, and others were subjected to this same security theater. The problem with hardware is that once the flaw becomes exposed and if it is bad enough, the entire system must be replaced. It is rational to have different circuitry for military applications, but when it creeps into consumer and business products it is wrong in many ways and though the intent may be for the military to do what it thinks will solve -their- problem, without oversight it becomes paradoxical and if they destroy the means to do business and make profit through their tampering, then it is full circle and the funds and efforts that support the government and military are damaged.
The problem is in oversight; defence must be limited in its scope of action. Isn't this what all the fuss is about with Syria and Iraq? The conventional military action is assumed to have overstepped the boundaries into what is considered socially acceptable, and this NSA condition is no different. It is a failure in leadership and oversight that offends the sensibilities. Nazi Germany had a very effective military and it would have been a non-issue if they had been guided by people with empathy and reason.
Say what!? Optical inspection at 14 nanometers? Did I miss a memo or something?
You can still generate an arbitrary amount of entropy with a compromised RNG if you know it's compromised. Let's say you have a ridiculously compromised RNG with only 1 bit of entropy and 32-bit output. Such an RNG could trivially fail statistical tests, if it used simple combinatorials to mix the nth output with the (n-1)th output, or it could be almost undetectable, if it uses complex combinatorials, such as the AES method used in the Intel RDRAND. In either case, each word will contain some entropy, even if it is much less than stated "on the box".
Let's say it outputs a 32-bit word (the RDRAND32 instruction does), and each word is supposed to contain 32 bits of entropy (I dunno), but only contains 8 bits of entropy. If I mix 4 words of output to produce an output of 32 bits, I have reliably produced 32 bits of entropy.
The danger here is that a software implementation takes the manufacturer's word on the entropy content of the output, since we can't distinguish between genuine entropy and the output of a strong cipher with a hidden state (as is the case in RDRAND), rather than mixing the RNG output down to a smaller number of bits (for example by chain-ciphering N consecutive words of RNG output together to form one word of output).
One potential mitigation to most of these compromised RNG scares is to have the user initialise an S-box or cipher key manually (flip coins, roll dice), and feed all RNG output through a strong cipher in feedback mode. The predictability of the RNG is no longer usable for cryptanalysis, as the output of the cipher is not predictable without breaking the cipher and discovering the key. The key can't be discovered by cryptanalysis, because it's only ever used to cipher "random" (though partially compromised) input, and cryptanalysis of users of the RNG is thwarted because there is no longer an identifiable correspondence between the RNG output and the random values used. Even if the key for the random post-processing is known, the correspondence between random-system output and RNG output is non-trivial, and there is no way to know the internal state of the cipher's feedback register, as it is constantly accumulating partial entropy from the RNG, which is never revealed.
Most of this doesn't apply to fake RNGs (PRNGs) which have been compromised to generate no entropy after initialisation, as eventually sufficient state will percolate through the cipher to regenerate the seed value and a sliding window attack will recover the offset. Unfortunately a PRNG can be designed to be statistically indistinguishable from an RNG for computationally impractical long runs of output 2**96 bits or longer if the internal state of the PRNG can't be obtained (many existing block ciphers fulfill this requirement).
The described attack seems to describe weakening the entropy of the RNG rather than reducing its entropy to an initial constant, and so, while less than ideal, it would not compromise a prudently designed random number system.
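The two halves of the comment above (a whitened word with only a few bits of real entropy is cheap to reverse for whoever knows the whitener, and mixing k such words through a keyed feedback stage yields k times the entropy) can be simulated end to end. This is an added example, not the poster's code or anything from the paper: HMAC-SHA256 stands in for the AES stage on both sides because the Python standard library has no AES, the "Trojan key" models the attacker's knowledge of the fixed whitener state, and the user key models the coin flips the poster suggests. Entropy widths are kept small so the full input space can be enumerated.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in for the whitener's fixed internal state: known to the
# party who planted the Trojan, opaque to the user.
TROJAN_KEY = b"constructed-attacker-known-key"

def compromised_word(entropy_bits, counter, raw):
    """One 32-bit output word of the crippled RNG. `raw` is the only
    unpredictable input and is limited to `entropy_bits` bits; the counter and
    whitener key are fixed, so the word carries only `entropy_bits` of entropy."""
    assert 0 <= raw < (1 << entropy_bits)
    msg = counter.to_bytes(8, "big") + raw.to_bytes(4, "big")
    return hmac.new(TROJAN_KEY, msg, hashlib.sha256).digest()[:4]

def attacker_recovers_raw(entropy_bits, counter, word):
    """Whoever holds the whitener state needs only 2**entropy_bits trials to
    learn the raw input behind a word: the 'predictable RNG' of the thread."""
    for guess in range(1 << entropy_bits):
        if compromised_word(entropy_bits, counter, guess) == word:
            return guess
    return None

def feedback_mix(user_key, words):
    """The poster's mitigation: every RNG word is pushed through a keyed
    function in feedback mode, so the output depends on a user-chosen key and
    on the whole history of words, never on a single one."""
    state = b"\x00" * 32
    for w in words:
        state = hmac.new(user_key, state + w, hashlib.sha256).digest()
    return state

def distinct_pooled_outputs(entropy_bits, words_per_output,
                            user_key=b"constructed-user-coin-flips"):
    """Enumerate every possible raw-entropy history behind one pooled output and
    count distinct results. With a collision-free mixer the count is exactly
    2**(entropy_bits * words_per_output): pooling k words of e bits gives k*e bits."""
    seen = set()
    for raws in itertools.product(range(1 << entropy_bits), repeat=words_per_output):
        words = [compromised_word(entropy_bits, i, r) for i, r in enumerate(raws)]
        seen.add(feedback_mix(user_key, words))
    return len(seen)

if __name__ == "__main__":
    w = compromised_word(8, 5, 200)
    print("raw input recovered by the Trojan's owner:", attacker_recovers_raw(8, 5, w))
    print("single 2-bit word, distinct outputs:", distinct_pooled_outputs(2, 1))
    print("four 2-bit words pooled, distinct outputs:", distinct_pooled_outputs(2, 4))
```

The attacker's search space grows from 2**e for one word to 2**(k*e) for the pooled output, which is the arithmetic behind "mix 4 words of 8 bits and get 32 bits". The mixer only preserves entropy; it cannot create any, so the defence still rests on the crippled source emitting some genuine randomness per word, as the poster notes for the case of a source reduced to a constant.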
I looked at the paper from CRI, they apparently did do testing on the raw (pre-whitening) entropy source on test chips that give direct access to it. Unfortunately the goal of that audit was to build confidence in the general design, the NSA wasn't an issue when that was done.
What I take away from this is - the good news is, the RDRAND circuitry has an open, well documented design which is apparently robust. Thus, if we can obtain confidence that it's not backdoored by the NSA, it's a great feature to have. Note to people talking about China, etc, Intel run all their own fabs. The chance of a technique as complicated as crypto backdoors using dopant trojans being inserted into the manufacturing process inside Intel-controlled fabs is close to zero. If it's done, it's done with the knowledge and co-operation of management.
The question is how can the world build such confidence? The standard way would be to decap some randomly chosen chips and analyze with an SEM, but I have no idea if that's feasible for something as complicated as a modern Intel core. Presumably Intel themselves can do it for debugging purposes, but whether it can be done in the absence of lots of proprietary information is unclear. Also, the output of RDRAND could presumably be patched using microcode updates, so just because the chips ship without a backdoor doesn't mean one couldn't be introduced later through a firmware/BIOS update.
This can only be used for attacks on things that can be compromised in a way such that they do not need to perform their original function perfectly anymore. A CPRNG is an ideal target, as it does not need to produce good _and_ bad numbers after the attack; it is sufficient if it produces bad numbers that look good. The AES whitener in the CPRNGs this was demonstrated on makes this very easy, and while it looks convenient, it may have been inserted there exactly to make compromised versions of this CPRNG hard to detect. On the other hand, if you attacked, say, a hash function or a block cipher in this way, it would start producing wrong outputs, potentially for a large number of cases; not only would it fail at its original function, this would also be pretty obvious.
Still, this is a significant attack and underlines why a single source of entropy should never be fully trusted and that CPRNGs should always be open software and use multiple entropy sources that get mixed.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Sabotage would be to make something stop working. The mentioned chips will work just fine, but their RNGs will be predictable. Only the ones who caused it know and will take advantage of it. Looks like a trojan to me.
So all the NSA needs to do is kidnap your chip, microscopically re-dope it, and shove it back in your computer without you noticing!
They could have a batch of compromised chips and replace the one in your computer.
Would you ever know? I really doubt it.
The fact that Windows wants you to reactivate would be your first clue.
If the RNGs aren't producing numbers as "random" as claimed, then it's not working. It's sabotage.
No, it's not. Saboteurs break machines and bring them to a halt. Check the etymology.
Actually, you should check the etymology. There's no evidence for the old story about people throwing their shoes into the machines.
Even if it was, there's no requirement for there to be a stoppage of production, there's just the requirement of the actors maliciously disrupting the process.
An RNG that doesn't output "random" numbers to spec is BROKEN. Anyone intentionally causing that is engaging in SABOTAGE.
Well, there goes the mod I plopped in, but...
1) Intel's high-end chip fabs are in Oregon, Arizona, California... not exactly close to Beijing. (They're still building some rather massive additions to their Ronler Acres fab up here in Oregon).
2) ARM chips, on the other hand (e.g. tablets and smartphone bits)? In that case I hereby petition Slashdot to introduce the "scary as fuck" mod.
Quo usque tandem abutere, Nimbus, patientia nostra?